The packet filter configuration is stored in the /etc/iptables.conf
file. Although it is technically possible to edit this file manually, it is not recommended to do so as the first two comment lines of the file warn as well even if manual configuration is chosen over ZMC-based graphical work.
# # This file is generated automatically from iptables.conf.in and iptables.conf.var. # Do not edit directly, regenerate it using iptables-gen.
To make packet filter configuration more error-resistant and easier, a frontend utility pack, the iptables-utils has been created where a couple of scripts help the creation and maintenance of packet filter rulesets. For more details on the iptables-utils, see chapter Packet Filtering.
Tip |
---|
Using iptables-utils is absolutely beneficial in the long term as the number of system closeouts -that is administrator lock-outs happen for example by activating an incorrect packet filter ruleset- can be dramatically decreased. It is especially favourable if the administrator is far away from the firewall. |
After installing the firewall a default ruleset is active. Since Zorp acts as a default-deny firewall, the ruleset allows only connections from the ZMS host machine specified during installation to the firewall and the outgoing connections originating from the firewall itself. Besides the iptables.conf
file which stores the currently active ruleset, the iptables.conf.in
file is also present in the system (/etc/iptables.conf.in
). For checking the differences between the two files in details, see Appendix A, Packet Filtering. The /etc/iptables.conf.var
file is also stored containing a single statement.
#define ZMSHOST <ip_address>
This entry allows you to refer to the ZMS host machine by the name ZMSHOST rather than by its IP address when editing the iptables.conf.in
file. These tools and the intermediate configuration files greatly help the administration of packet filter rulesets. However, an in-depth knowledge of iptables is still needed for the successful management of the packet filter.
For more information, see Appendix A, Packet Filtering on Zorp-specific configuration of IPTables, the installed manual pages of iptables (userland utility), and the documentation of Netfilter/IPTables project including a detailed tutorial and HOWTO documents accessible from Appendix C, Further readings.
Published on May 30, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu